Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 16 |
CVE-ID | CVE-2017-10345 CVE-2017-10295 CVE-2017-10281 CVE-2017-10350 CVE-2017-10347 CVE-2017-10349 CVE-2017-10348 CVE-2017-10357 CVE-2017-10355 CVE-2017-10356 CVE-2017-10309 CVE-2017-10388 CVE-2017-10285 CVE-2017-10346 CVE-2016-10165 CVE-2017-10165 |
CWE-ID | CWE-264 CWE-200 CWE-284 |
Exploitation vector | Network |
Public exploit |
Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #11 is available. |
Vulnerable software |
IBM AIX Operating systems & Components / Operating system |
Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 16 vulnerabilities.
EUVDB-ID: #VU8871
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10345
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition.
The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger a partial denial of service.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8867
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10295
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to access potentially sensitive information.
The weakness exists due to a flaw in the Javadoc component. A remote attacker can partially modify arbitrary files on the target system.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8863
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10281
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition.
The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger a partial denial of service on the target system.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8875
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10350
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition.
The weakness exists due to a flaw in the JAX-WS component. A remote attacker can trigger a partial denial of service.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8864
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10347
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition.
The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger a partial denial of service on the target system.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8874
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10349
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition.
The weakness exists due to a flaw in the JAXP component. A remote attacker can trigger a partial denial of service.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8873
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10348
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition.
The weakness exists due to a flaw in the Libraries component. A remote attacker can trigger a partial denial of service.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8878
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10357
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition.
The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger a partial denial of service.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8876
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2017-10355
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to cause a DoS condition.
The weakness exists due to a flaw in the Networking component. A remote attacker can trigger a partial denial of service.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU9120
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10356
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The weakness exists due to a flaw in the Security component. A remote attacker can gain unauthorized access to sensitive information.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8868
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2017-10309
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to access potentially sensitive information and cause a DoS condition.
The weakness exists due to a flaw in the Deployment component. A remote attacker can partially read and modify arbitrary files and cause a partial denial of service on the target system.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU8881
Risk: Low
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10388
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain elevated privileges.
The weakness exists due to a flaw in the Libraries component. A remote attacker can escalate privileges on the target system.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8865
Risk: Low
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10285
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain elevated privileges.
The weakness exists due to a flaw in the RMI component. A remote attacker can escalate privileges on the target system.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8872
Risk: Low
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10346
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain elevated privileges.
The weakness exists due to a flaw in the Hotspot component. A remote attacker can escalate privileges on the target system.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8861
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-10165
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description: The vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to a flaw in the 2D (Little CMS 2) component. A remote attacker can read arbitrary files on the target system.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8991
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10165
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote high-privileged attacker to cause a DoS condition on the target system.
The weakness exists due to an error in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). A remote attacker can use multiple protocols to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versions: IBM AIX: 5.3 - 7.2
https://aix.software.ibm.com/aix/efixes/security/java_oct2017_advisory.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.